This invention relates generally to network communications, and more particularly to security measures for protecting network communications.
The Internet has entered the new millennium as the most important computer network in the world. Every day, millions of people use the Internet to communicate with each other and to gather or share information. Moreover, electronic commerce ("E-commerce") using the World Wide Web (WWW) of the Internet as its backbone is rapidly replacing and changing the traditional way of commerce based on conventional brick-and-mortar stores.
The security of communications over the Internet, however, has always been a major concern. This problem is related to the underlying network communication protocol of the Internet, the Internet Protocol ("IP"), which is responsible for delivering packets across the Internet to their destinations. The Internet Protocol was not designed to provide security features at its level of network communication operation. Moreover, the flexibility of IP allows for some creative uses of the protocol that defeat traffic auditing, access control, and many other security measures. IP-based network data is therefore wide open to tampering and eavesdropping. As a result, substantial risks are involved in sending sensitive information across the Internet.
To address the lack of security measures of the Internet Protocol, a set of extensions called the Internet Protocol Security ("IPSec") Suite has been developed to add security services at the IP level. The IPSec Suite includes protocols for an authentication header (AH), encapsulating security protocol (ESP), and a key management and exchange payload (IKE). A significant advantage of the IPSec Suite is that it provides a universal way to secure all IP-based network communications for all applications and users in a transparent way. Moreover, as the IPSec Suite is designed to work with existing and future IP standards, regular IP networks can still be used to carry communication data between the sender and recipient. The IPSec Suite is also scalable and can therefore be used in networks ranging from local-area networks (LANs) to global networks such as the Internet.
Performing network communication security operations under the IPSec protocols, however, does require extra overhead, one component of which is the maintenance and retrieval of the data needed to perform the security operations. Under the IPSec protocols, for each communication stream to be secured, a set of security parameters for the authentication and encryption operations that securely deliver the packets of that particular communication stream has to be negotiated first. This set of security parameters, collectively called the Security Association ("SA") for the communication stream, then has to be stored in memory by an IPSec driver for use with subsequent packets of the communication stream.
Besides the SA data for different communication streams, the IPSec driver typically also maintains a plurality of filters for implementing security policies. Under each filter, there may be multiple SAs, each of which has been negotiated for a communication stream that matches the filter. Depending on the complexity of the security policies and how heavy the network traffic through the IPSec driver is, there may be many security policy filters and a large number of SAs associated with each filter.
For each IP packet passed to the IPSec driver, the IPSec driver has to determine whether the packet matches a policy filter. If a matching filter is found and the packet is to be secured under IPSec, the driver then has to locate the SA, if it exists, for the communication stream to which the packet belongs. This lookup of the matching filter and SA is performed on every packet passing through the driver. In a computer system with many filters and SAs, this lookup can be very time consuming and can become the performance bottleneck for network communications secured under the IPSec protocols.
In view of the foregoing, the present invention provides a system and method for retrieving security data, such as the Security Associations ("SAs") of IPSec, for secured transmission of network packets, using a caching mechanism to significantly enhance the speed of retrieving the security data. The caching mechanism uses a cache table with multiple entries. Each entry of the cache table stores data that identifies a communication stream and the security data or an exempt filter applicable to that communication stream. When a packet passes through the system, an index value is derived from the communication stream data of the packet. The cache table entry corresponding to the derived index value is then retrieved and compared to the packet. If the retrieved cache table entry matches the packet and contains security data, the security data are used to secure the delivery of the packet.
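The following is an added illustration of the cache table just described, written for this page and not taken from the patent or any IPSec driver. The 5-tuple stream identity, the policy filters, the negotiated SAs and the index fold are all constructed assumptions; the point it shows is that a slot chosen by the derived index must still be compared to the packet's stream before its SA is used, since two streams can share an index.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Stream:  # communication-stream identity: a constructed 5-tuple
    src: str
    dst: str
    proto: int
    sport: int
    dport: int

@dataclass(frozen=True)
class SA:  # Security Association negotiated for one stream (fields constructed)
    spi: int
    cipher: str

EXEMPT = "exempt"  # cache marker: a matching filter sends this stream in the clear

class SACache:  # direct-mapped cache: index derived from stream data, entry checked against packet
    def __init__(self, slow_lookup, slots=64):
        self.table = [None] * slots          # each slot holds (Stream, SA-or-EXEMPT)
        self.slow_lookup = slow_lookup       # full filter walk plus SA search, run on a miss
        self.hits = self.misses = 0

    def _index(self, s):
        h = 0  # stable fold of the 5-tuple; Python's hash() is randomised per process
        for b in f"{s.src}|{s.dst}|{s.proto}|{s.sport}|{s.dport}".encode():
            h = (h * 31 + b) & 0xFFFFFFFF
        return h % len(self.table)

    def lookup(self, s):
        i = self._index(s)
        entry = self.table[i]
        if entry is not None and entry[0] == s:  # same index is not enough: verify the stream
            self.hits += 1
            return entry[1]
        self.misses += 1                          # empty slot or a colliding stream
        result = self.slow_lookup(s)
        if result is not None:                    # cache only a decided stream (SA or exempt)
            self.table[i] = (s, result)
        return result

# Constructed policy: ordered filters, plus SAs already negotiated per stream.
FILTERS = [(lambda s: s.dst == "192.168.1.1", EXEMPT),
           (lambda s: s.dst.startswith("10."), "secure")]
NEGOTIATED = {}  # Stream -> SA

def policy_lookup(s):
    for match, action in FILTERS:
        if match(s):
            return EXEMPT if action == EXEMPT else NEGOTIATED.get(s)  # None: SA not yet negotiated
    return None  # no filter matched: packet is not handled by IPSec here
```

Building the cache with a single slot makes every stream collide, which exercises the compare step on each lookup; a real table would use many slots so that most lookups hit.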
Additional features and advantages of the invention will be made apparent from the following detailed description of illustrative embodiments, which proceeds with reference to the accompanying figures.